pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/dnsmasq dnsmasq: update to 2.78.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/4f97a4c38ba8
branches:  trunk
changeset: 369669:4f97a4c38ba8
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Mon Oct 02 15:50:55 2017 +0000

description:
dnsmasq: update to 2.78.

version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
        Novakovic for the patch.

        Revert ping-check of address in DHCPDISCOVER if there
        already exists a lease for the address. Under some
        circumstances, a netbooted Windows installation can reply
        to pings before it has a DHCP lease and block allocation
        of the address it already used during netboot. Thanks to
        Jan Psota for spotting this.

        Fix DHCP relaying, broken in 2.76 and 2.77 by commit
        ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
        John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
        --strict-order active. Thanks to Hans Dedecker
        for the patch.

        Fix regression in 2.77, ironically added as a security
        improvement, which resulted in a crash when a DNS
        query exceeded 512 bytes (or the EDNS0 packet size,
        if different.) Thanks to Christian Kujau, Arne Woerner,
        Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
        chasing this one down.  CVE-2017-13704 applies.

        Fix heap overflow in DNS code. This is a potentially serious
        security hole. It allows an attacker who can make DNS
        requests to dnsmasq, and who controls the contents of
        a domain, which is thereby queried, to overflow
        (by 2 bytes) a heap buffer and either crash, or
        even take control of, dnsmasq.
        CVE-2017-14491 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix heap overflow in IPv6 router advertisement code.
        This is a potentially serious security hole, as a
        crafted RA request can overflow a buffer and crash or
        control dnsmasq. Attacker must be on the local network.
        CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        and Kevin Hamacher of the Google Security Team for
        finding this.

        Fix stack overflow in DHCPv6 code. An attacker who can send
        a DHCPv6 request to dnsmasq can overflow the stack frame and
        crash or control dnsmasq.
        CVE-2017-14493 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix information leak in DHCPv6. A crafted DHCPv6 packet can
        cause dnsmasq to forward memory from outside the packet
        buffer to a DHCPv6 server when acting as a relay.
        CVE-2017-14494 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix DoS in DNS. Invalid boundary checks in the
        add_pseudoheader function allow a memcpy call with negative
        size. An attacker who can send malicious DNS queries
        to dnsmasq can trigger a DoS remotely.
        dnsmasq is vulnerable only if one of the following options is
        specified: --add-mac, --add-cpe-id or --add-subnet.
        CVE-2017-14496 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix out-of-memory DoS vulnerability. An attacker who can
        send malicious DNS queries to dnsmasq can trigger memory
        allocations in the add_pseudoheader function.
        The allocated memory is never freed which leads to a DoS
        through memory exhaustion. dnsmasq is vulnerable only
        if one of the following options is specified:
        --add-mac, --add-cpe-id or --add-subnet.
        CVE-2017-14495 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

diffstat:

 net/dnsmasq/Makefile |   4 ++--
 net/dnsmasq/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (28 lines):

diff -r f51e01e6e923 -r 4f97a4c38ba8 net/dnsmasq/Makefile
--- a/net/dnsmasq/Makefile      Mon Oct 02 15:46:53 2017 +0000
+++ b/net/dnsmasq/Makefile      Mon Oct 02 15:50:55 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.34 2017/06/02 08:37:49 adam Exp $
+# $NetBSD: Makefile,v 1.35 2017/10/02 15:50:55 wiz Exp $
 
-DISTNAME=      dnsmasq-2.77
+DISTNAME=      dnsmasq-2.78
 CATEGORIES=    net
 MASTER_SITES=  http://www.thekelleys.org.uk/dnsmasq/
 EXTRACT_SUFX=  .tar.xz
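
Review bot: the unchanged context line MASTER_SITES= http://www.thekelleys.org.uk/dnsmasq/ still fetches the distfile over plain HTTP, so for this security update the only integrity check on the download is the set of distinfo checksums. If upstream serves the same path over HTTPS, change the URL scheme in this same commit.
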
diff -r f51e01e6e923 -r 4f97a4c38ba8 net/dnsmasq/distinfo
--- a/net/dnsmasq/distinfo      Mon Oct 02 15:46:53 2017 +0000
+++ b/net/dnsmasq/distinfo      Mon Oct 02 15:50:55 2017 +0000
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.33 2017/06/02 08:37:49 adam Exp $
+$NetBSD: distinfo,v 1.34 2017/10/02 15:50:55 wiz Exp $
 
-SHA1 (dnsmasq-2.77.tar.xz) = 7afdb6bb017d67576cd3603c69070235a9dce57c
-RMD160 (dnsmasq-2.77.tar.xz) = eb47de3dca460f972d6641285db11707fcde3cd8
-SHA512 (dnsmasq-2.77.tar.xz) = 6ca98a71a8fdfd606e29c58b34dadfa63148c39f931570cca67a287e044d52c6ec2f8acbf5620ada3312e9db3a2fd63877188d829c070beaa730607e3309e768
-Size (dnsmasq-2.77.tar.xz) = 487244 bytes
+SHA1 (dnsmasq-2.78.tar.xz) = 07d452c0a18637a9d4e2751e57971b493631bb23
+RMD160 (dnsmasq-2.78.tar.xz) = a724387aeb5ea46080b85caac6bddc9bb04a5814
+SHA512 (dnsmasq-2.78.tar.xz) = 9b79b84e5a768d52f90f6335ccef2c404ecd7a13e78e49f4cd0755fffc6cf34d0dc96ad4c72cad1dab3c5743a8d0d789b3e9b6e625b03c5675bb898ca61a698b
+Size (dnsmasq-2.78.tar.xz) = 489172 bytes
 SHA1 (patch-src_bpf.c) = 05dc64c016c608e6b963ce9ee80c28e872a88f9e
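
Review bot: the trailing context line SHA1 (patch-src_bpf.c) is unchanged, so the local patch is carried over to 2.78 as-is; confirm it still applies cleanly to the new source and is still needed. Nothing in this hunk shows where the new SHA1, RMD160 and SHA512 values came from, so the commit message should say whether the 2.78 tarball was checked against upstream's published signature or checksums before these hashes were recorded.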


